glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex #33

Closed
opened 2023-11-01 04:44:32 +00:00 by argoyle · 0 comments
argoyle commented 2023-11-01 04:44:32 +00:00 (Migrated from gitlab.com)

⚠️ `dependabot-gitlab` has detected security vulnerability for `glob-parent` in path: `/`, manifest_file: `/package.json` but was unable to update it! ⚠️

| Package | Severity | Affected versions | Patched versions | IDs |
|-------------------|----------|-------------------|------------------|----------------------------------------|
| glob-parent (NPM) | HIGH | < 5.1.2 | 5.1.2 | `GHSA-ww39-953v-wcq6`, `CVE-2020-28469` |

Description

This affects the package glob-parent before 5.1.2. The enclosure regex, used to check for strings ending in an enclosure that contains a path separator, is vulnerable to regular expression denial of service (ReDoS).

References

* https://github.com/advisories/GHSA-ww39-953v-wcq6
* https://nvd.nist.gov/vuln/detail/CVE-2020-28469
* https://github.com/gulpjs/glob-parent/pull/36
* https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9
* https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2
* https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093
* https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092
* https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
* https://www.oracle.com/security-alerts/cpujan2022.html
* https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46
argoyle (Migrated from gitlab.com) closed this issue 2024-02-06 04:40:45 +00:00

Reference: dancefinder/dancefinder-app#33